Secure Android Apps - nVisium Security
- 1. Secure Android Applications: The OWASP Way. Jack Mannino, CEO/Chief "Breaker", nVisium Security. ISSA DC, June 21, 2011. https://www.nvisiumsecurity.com | http://twitter.com/jack_mannino | http://www.linkedin.com/pub/jack-mannino/7/2b7/562. ©2011 nVisium Security Inc.
- 24. How do we plan to achieve this? The OWASP Mobile Security Project.
- 29. Mobile World Meets Security World: once upon a time, all phones could do was make phone calls.
- 40. Mobile World Meets Security World - Show Me The Money! Do people use these things and their "apps"? "Gartner Forecasts Mobile App Store Revenues Will Hit $15 Billion in 2011" (http://techcrunch.com/2011/01/26/mobile-app-store-15-billion-2011/). "Industry first: Smartphones pass PCs in sales" (http://tech.fortune.cnn.com/2011/02/07/idc-smartphone-shipment-numbers-passed-pc-in-q4-2010/).
- 43. People Use Android... Now What? Android is the most popular mobile platform around. Huge market share + attack monetization = target.
- 45. In the past 2 months there has been 4 times as much Android malware as in all of 2010 (source: a friend at Lookout Mobile Security).
- 50. It Gets Worse: malware masqueraded under titles like "Angry Birds Rio Unlock". Mobile developers are partying like it's 1999.
- 55. Have we learned anything?! Android Crash Course - Overview: Android is a Linux-based operating system.
- 93. Activity: a single, focused thing a user can do (simple definition). Source: http://developer.android.com/reference/android/app/Activity.html
- 96. The primary way of passing data around within Android. Android Crash Course - Essentials: Content Provider.
- 102. Threat Modeling Android Apps: threat modeling is used to better understand an application's attack surface. Don't assume the sky is falling.
- 110. Threat Modeling Android Apps: now we can see the bigger picture.
- 115. OWASP Mobile Top 10 Risks and Controls - Top 10 Risks:
  1. Insecure or unnecessary client-side data storage
  2. Lack of data protection in transit
  3. Personal data leakage
  4. Failure to protect resources with strong authentication
  5. Failure to implement least privilege authorization policy
  6. Client-side injection
  7. Client-side Denial of Service (DoS)
  8. Malicious third-party code
  9. Client-side buffer overflow
  10. Failure to apply server-side controls
- 116. #1 Insecure or Unnecessary Client-Side Data Storage: do I really have to store it? #2 Lack of Data Protection in Transit: no SSL/TLS.
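The two risks above (#1 and #2) in working Android code, as an added example that is not from the slides or from nVisium. The weak form of each is shown beside the hardened form. The file name, the host `api.example.com` and the pin value `PINNED_SPKI_SHA256` are placeholders; a real pin is the SHA-256 digest of the server's DER-encoded public key, taken from a trusted copy of its certificate. Note that "use SSL/TLS" only helps when the platform's chain and hostname validation is left switched on; a custom TrustManager that accepts every certificate gives the appearance of TLS with none of the protection.

```java
import android.content.Context;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import javax.net.ssl.HttpsURLConnection;

/** Added example for OWASP Mobile risks #1 and #2; placeholder names throughout. */
public final class ClientSecurityExample {

    /** Placeholder pin (assumption): SHA-256 of the server's DER-encoded public key. */
    private static final byte[] PINNED_SPKI_SHA256 = new byte[32];

    // #1, weak: the token is written world-readable. Every other app on the device
    // runs under a different Linux UID, but a world-readable file defeats that sandbox.
    public static void saveTokenWorldReadable(Context ctx, String token) throws IOException {
        FileOutputStream out = ctx.openFileOutput("session.txt", Context.MODE_WORLD_READABLE);
        try { out.write(token.getBytes("UTF-8")); } finally { out.close(); }
    }

    // #1, better: MODE_PRIVATE keeps the file readable only by this app's UID (and root).
    // Best: ask "do I really have to store it?" A short-lived session token can live in
    // memory for the process lifetime and be re-obtained after a restart.
    public static void saveTokenPrivate(Context ctx, String token) throws IOException {
        FileOutputStream out = ctx.openFileOutput("session.txt", Context.MODE_PRIVATE);
        try { out.write(token.getBytes("UTF-8")); } finally { out.close(); }
    }

    // #2, weak: plain HTTP. Credentials and data cross the network in the clear.
    public static InputStream fetchOverHttp(String path) throws IOException {
        HttpURLConnection c =
                (HttpURLConnection) new URL("http://api.example.com" + path).openConnection();
        return c.getInputStream();
    }

    // #2, better: HTTPS with the platform's default chain and hostname validation,
    // plus a check of the leaf certificate's public key against a pin, so a rogue or
    // user-installed CA cannot silently substitute a certificate.
    public static InputStream fetchOverHttps(String path) throws IOException {
        HttpsURLConnection c =
                (HttpsURLConnection) new URL("https://api.example.com" + path).openConnection();
        c.connect(); // TLS handshake; the chain is validated against the device trust store
        // Throws SSLPeerUnverifiedException if the peer was not verified.
        Certificate[] chain = c.getServerCertificates();
        if (!matchesPin(chain[0])) {
            c.disconnect();
            throw new IOException("server public key does not match the pinned value");
        }
        return c.getInputStream();
    }

    /** True when the certificate's public key hashes to the pinned digest. */
    static boolean matchesPin(Certificate leaf) throws IOException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(leaf.getPublicKey().getEncoded());
            return MessageDigest.isEqual(digest, PINNED_SPKI_SHA256);
        } catch (NoSuchAlgorithmException e) {
            throw new IOException(e);
        }
    }
}
```

The pin is compared against the leaf's public key rather than the whole certificate so that a routine certificate renewal with the same key pair does not break the app; rotating the key still requires shipping an update, which is the operational cost of pinning.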
- 136. Do you really need 3 years of GPS info on the device? #4 Failure To Protect Resources With Strong Authentication: this risk presents itself in multiple ways:
- 147. Location. #5 Failure To Implement Least Privilege Authorization Policy: overly permissive permissions granted to apps.
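Risk #5 as it shows up in an app's manifest, as an added example that is not from the slides or from nVisium. The package, component and permission names are placeholders. The first manifest requests permissions the app never uses and exposes its content provider to every app on the device; the second requests only what the feature needs and guards the provider with a signature-level permission. One caveat a 2011-era developer needs: on platform versions before API 17, a content provider with no `android:exported` attribute is exported by default, so leaving the attribute out is not the safe choice.

```xml
<!-- Added example, not from the slides. Names are placeholders. -->

<!-- Weak: over-privileged, and the provider is reachable by any other app. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.READ_SMS" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <application android:label="Notes">
        <provider android:name=".NotesProvider"
                  android:authorities="com.example.notes"
                  android:exported="true" />
    </application>
</manifest>

<!-- Better: least privilege. Only INTERNET is requested, the provider is not
     exported, and any same-signature companion app that does need it must hold a
     signature-level permission that third-party apps cannot obtain. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <permission android:name="com.example.notes.permission.READ_NOTES"
                android:protectionLevel="signature" />
    <uses-permission android:name="android.permission.INTERNET" />
    <application android:label="Notes">
        <provider android:name=".NotesProvider"
                  android:authorities="com.example.notes"
                  android:exported="false"
                  android:readPermission="com.example.notes.permission.READ_NOTES" />
    </application>
</manifest>
```

Reviewing a manifest this way is a cheap first pass: every `uses-permission` line should map to a feature the app actually ships, and every exported component should have a reason to be exported and a permission on it.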
- 179. Perform load testing to ensure resources are released as intended. #8 Malicious Third-Party Code: lots of free-to-use code.
- 182. Perform code review before using third-party libraries. #9 Client-Side Buffer Overflow: on Android, this applies to native code.
- 184. If you are using the standard SDK, there is less to worry about.
- 187. Perform bounds checking on native code you develop. #10 Failure To Apply Server-Side Controls: this should be familiar territory.
- 197. The OWASP Top 10 for web covers these issues. Where Do We Go From Here?
- 202. Can't fix the hard stuff without fixing the easy stuff. Questions? Got them? Ask them.